Table Of Contents
Configuring Security Access Control Lists
Overview
ACL Types and Uses
ACL Guidelines
ACL Entry Order
ACL Implicit Deny
Maximum Number of ACL Entries
ACL Configuration Quick Start
Configuring ACLs
Configuring an Extended ACL
Configuring Comments in an Extended ACL
Configuring an EtherType ACL
Resequencing Entries
Applying an ACL to an Interface
Applying an ACL Globally to All Interfaces in a Context
Filtering Traffic with an ACL
ACL Configurational Examples
Examples of Extended ACLs
Inbound and Outbound ACLs
IP Addresses for ACLs with NAT
Examples of Ethertype ACLs
Displaying ACL Configurational Information and Statistics
Displaying ACL Configurational Information
Displaying ACL Statistics
Clearing ACL Statistics
Configuring Security Access Control Lists
This chapter describes security access control lists (ACLs) and how to configure them on your Cisco Application Control Engine (ACE) module. ACLs provide basic security for your network by filtering traffic and controlling network connections. This chapter consists of the following major sections:
• Overview
• ACL Configuration Quick Start
• Configuring ACLs
• ACL Configurational Examples
• Displaying ACL Configurational Information and Statistics
• Clearing ACL Statistics
Overview
An ACL consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Besides an action element (permit or deny), each entry also contains a filter element based on criteria such as source address, destination address, protocol, protocol-specific parameters, and so on. An implicit deny-all entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies all traffic on the interface.
ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features (for example, security, network address translation (NAT), server load balancing (SLB), and so on). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions.
When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area.
When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.
ACL Types and Uses
You can configure two types of ACLs on the ACE. The ACL types and their uses are:
• Extended—Control network access for IP traffic
• EtherType—Control network access for non-IP traffic
Note
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify ports in an extended ACL. For details about configuring an extended ACL, see the "Configuring an Extended ACL" section.
ACL Guidelines
This section describes the guidelines to observe when you configure and use ACLs in your network. It contains the following subsections:
• ACL Entry Order
• ACL Implicit Deny
• Maximum Number of ACL Entries
ACL Entry Order
An ACL consists of one or more entries. Depending on the ACL type, you can specify as match criteria the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type, ICMP code, or the EtherType. By default, the ACE appends each ACL entry at the end of the ACL. You can also specify the location of each entry within an ACL.
The order of the entries is important. When the ACE decides whether to accept or refuse a connection, the ACE tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, the ACE does not check any more entries. For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE does not check any further statements in the ACL.
ACL Implicit Deny
All ACLs have an implicit deny entry at the end of the ACL, so, unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ACE except for those with particular IP addresses, then you need to deny the particular IP addresses in one entry and then permit all other IP addresses in another entry.
Maximum Number of ACL Entries
The ACE supports a maximum of 64,000 entries. Some ACLs use more memory than others, and these include ACLs that use large port number ranges or overlapping networks (for example, one entry specifies 10.0.0.0/8 and another entry specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit the ACE can support may be less than 64,000 entries.
If you exceed the memory limitations of the ACE, the module generates a syslog message and increments the Download Failures counter in the output of the show interface vlan number command. The configuration remains in the running-config and the interface stays enabled. The ACL entries stay the same as they were before the failing configuration was attempted.
For example, if you add a new ACL with 10 entries, but the addition of the sixth entry fails because of memory exhaustion, the ACE removes the five entries that you successfully entered.
ACL Configuration Quick Start
Table 1-1 provides a quick overview of the steps required to configure ACLs. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 1-1.
Table 1-1 ACL Configuration Quick Start
Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context.
The rest of the examples in this table use the Admin context for illustration purposes, unless otherwise specified. For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.

2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#

3. Create an ACL.
host1/Admin(config)# access-list INBOUND extended deny ip 192.168.12.0 255.255.255.0 any

4. As required by your application, add entries to the ACL using the same access-list name. For example, enter:
host1/Admin(config)# access-list INBOUND extended permit ip any any

5. Apply the ACL to an individual interface.
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)# access-group input INBOUND

6. Alternatively, apply the ACL globally to all interfaces in the context.
host1/Admin(config)# access-group input INBOUND

7. (Optional) If necessary, save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config

8. (Recommended) Display and verify the ACL configuration information.
host1/Admin# show running-config access-list
Configuring ACLs
To configure ACLs on your ACE, use the following procedures:
• Configuring an Extended ACL
• Configuring Comments in an Extended ACL
• Configuring an EtherType ACL
• Resequencing Entries
• Applying an ACL to an Interface
• Applying an ACL Globally to All Interfaces in a Context
• Filtering Traffic with an ACL
Configuring an Extended ACL
An extended ACL allows you to specify both the source and the destination IP addresses of traffic as well as the following parameters:
• Protocol
• TCP or UDP ports
You can specify these parameters directly in the access-list command.
For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.
Note
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL.
Tip
Enter the ACL name in upper case letters so that the name is easy to see in the configuration. You may want to name the ACL for the interface (for example, INBOUND), or for the purpose (for example, NO_NAT or VPN).
To create an extended ACL, use the access-list extended command in configuration mode. There are three major types of extended ACLs:
• IP
• TCP or UDP
• ICMP
You can permit or deny network connections based on IP protocol and source and destination IP addresses. To configure an IP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}
In addition to the protocol and IP addresses, you can permit or deny network connections based on TCP or UDP source or destination ports. To configure a TCP or a UDP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} {tcp | udp} {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
Lastly, you can permit or deny network connections based on the ICMP type (for example, echo, echo-reply, unreachable, and so on). To configure an ICMP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address} [icmp_type] [code operator code1 [code2]]
The keywords and arguments are:
• name—Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.
• line number—(Optional) Specifies the line number position where you want the entry you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.
• extended—Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.
• deny—Blocks connections on the assigned interface.
• permit—Allows connections on the assigned interface.
• protocol—Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following table:

Protocol Name | Protocol Number | Description
ah | 51 | Authentication Header
eigrp | 88 | Enhanced IGRP
esp | 50 | Encapsulated Security Payload
gre | 47 | Generic Routing Encapsulation
icmp | 1 | Internet Control Message Protocol
igmp | 2 | Internet Group Management Protocol
ip | 0 | Internet Protocol
ip-in-ip | 4 | IP-in-IP Layer 3 Tunneling Protocol
ospf | 89 | Open Shortest Path First
pim | 103 | Protocol Independent Multicast
tcp | 6 | Transmission Control Protocol
udp | 17 | User Datagram Protocol

• src_ip_address netmask—Specifies traffic from a source defined by the IP address and the network mask. Use these arguments to specify network traffic from a range of source IP addresses.
• any—Specifies network traffic from any source.
• host src_ip_address—IP address of the host from which network traffic originates. Use this keyword and argument to specify network traffic from a single IP address.
• operator—(Optional) Operand used to compare source and destination port numbers for TCP and UDP protocols. The operators are:
  – lt—Less than.
  – gt—Greater than.
  – eq—Equal to.
  – neq—Not equal to.
  – range—An inclusive range of port values. If you enter this operator, enter a second port number value to define the upper limit of the range.
• port1 [port2]—TCP or UDP source port name or number from which you permit or deny services access. Enter an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 1-2 for a list of well-known TCP port names and numbers and Table 1-3 for a list of well-known UDP port names and numbers.
Table 1-2 Well-Known TCP Port Numbers and Key Words
Key Word | Port Number | Description
aol | 5190 | America-Online
bgp | 179 | Border Gateway Protocol
chargen | 19 | Character Generator
citrix-ica | 1494 | Citrix Independent Computing Architecture Protocol
cmd | 514 | Same as exec, with automatic authentication
ctiqbe | 2748 | Computer Telephony Interface Quick Buffer Encoding
daytime | 13 | Daytime
discard | 9 | Discard
domain | 53 | Domain Name System
echo | 7 | Echo
exec | 512 | Exec (RSH)
finger | 79 | Finger
ftp | 21 | File Transfer Protocol
ftp-data | 20 | FTP data connections
gopher | 70 | Gopher
h323 | 1720 | H.323 call signalling
hostname | 101 | NIC hostname server
http | 80 | Hyper Text Transfer Protocol
https | 443 | HTTP over TLS/SSL
ident | 113 | Ident Protocol
imap4 | 143 | Internet Message Access Protocol, version 4
irc | 194 | Internet Relay Chat
kerberos | 88 | Kerberos
klogin | 543 | Kerberos Login
kshell | 544 | Kerberos Shell
ldap | 389 | Lightweight Directory Access Protocol
ldaps | 636 | LDAP over TLS/SSL
login | 513 | Login (rlogin)
lotusnotes | 1352 | IBM Lotus Notes
lpd | 515 | Printer Service
matip-a | 350 | Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn | 139 | NetBios Session Service
nntp | 119 | Network News Transport Protocol
pcanywhere-data | 5631 | PC Anywhere data
pim-auto-rp | 496 | PIM Auto-RP
pop2 | 109 | Post Office Protocol v2
pop3 | 110 | Post Office Protocol v3
pptp | 1723 | Point-to-Point Tunneling Protocol, RFC 2637
rtsp | 554 | Real Time Stream control Protocol
sip | 5060 | Session Initiation Protocol
smtp | 25 | Simple Mail Transfer Protocol
sqlnet | 1521 | Structured Query Language Network
ssh | 22 | Secure SHell
sunrpc | 111 | Sun Remote Procedure Call
tacacs | 49 | Terminal Access Controller Access Control System
talk | 517 | Talk
telnet | 23 | Telnet
time | 37 | Time
uucp | 540 | Unix-to-Unix Copy Program
whois | 43 | Nicname
www | 80 | World Wide Web (HTTP)
Table 1-3 Well-Known UDP Port Numbers and Key Words
Key Word | Port Number | Description
biff | 512 | Mail notification
bootpc | 68 | Bootstrap Protocol (BOOTP) client
bootps | 67 | Bootstrap Protocol (BOOTP) server
discard | 9 | Discard
dnsix | 195 | DNSIX Security protocol auditing (dn6-nlm-aud)
domain | 53 | Domain Name System
echo | 7 | Echo
isakmp | 500 | Internet Security Association Key Management Protocol
kerberos | 88 | Kerberos
mobile-ip | 434 | Mobile IP registration
nameserver | 42 | Host Name Server
netbios-dgm | 138 | NetBios datagram service
netbios-ns | 137 | NetBios name service
netbios-ssn | 139 | NetBios Session Service
ntp | 123 | Network Time Protocol
pcanywhere-status | 5632 | PC Anywhere status
radius | 1812 | Remote Authentication Dial-in User Service
radius-acct | 1813 | RADIUS Accounting
rip | 520 | Routing Information Protocol (router, in.routed)
snmp | 161 | Simple Network Management Protocol
snmptrap | 162 | SNMP Traps
sunrpc | 111 | Sun Remote Procedure Call
syslog | 514 | System Logger
tacacs | 49 | Terminal Access Controller Access Control System
talk | 517 | Talk
tftp | 69 | Trivial File Transfer Protocol
time | 37 | Time
who | 513 | Who service (rwho)
wsp | 9200 | Connection-less Wireless Session Protocol
wsp-wtls | 9202 | Secure Connection-less WSP
wsp-wtp | 9201 | Connection-based WSP
wsp-wtp-wtls | 9203 | Secure Connection-based WSP
xdmcp | 177 | X Display Manager Control Protocol
• dest_ip_address netmask—IP address of the network or host to which the packet is being sent and the network mask bits to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.
• any—Specifies network traffic going to any destination.
• host dest_ip_address—IP address of the destination host of the packets in a flow. Use this keyword and argument to specify network traffic destined to a single IP address.
• operator—(Optional) Operand used to compare source and destination port numbers for TCP and UDP protocols. The operators are:
  – lt—Less than.
  – gt—Greater than.
  – eq—Equal to.
  – neq—Not equal to.
  – range—An inclusive range of port values. If you enter this operator, enter a second port number value to define the upper limit of the range.
• port3 [port4]—TCP or UDP destination port name or number to which you permit or deny services access. Enter an integer from 0 to 65535. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 1-2 for a list of well-known TCP ports and Table 1-3 for a list of well-known UDP ports.
• icmp_type—(Optional) Specifies the type of ICMP message. Enter either an integer corresponding to the ICMP type number or one of the ICMP type names listed in Table 1-4.
Table 1-4 ICMP Types
ICMP Type Number | ICMP Type
0 | echo-reply
3 | unreachable
4 | source-quench
5 | redirect
6 | alternate-address
8 | echo
9 | router-advertisement
10 | router-solicitation
11 | time-exceeded
12 | parameter-problem
13 | timestamp-request
14 | timestamp-reply
15 | information-request
16 | information-reply
17 | mask-request
18 | mask-reply
30 | traceroute
31 | conversion-error
32 | mobile-redirect
• code—(Optional) Specifies that a numeric operator and ICMP code follows.
• operator—An operator that the ACE applies to the ICMP code that follows. Enter one of the following operators:
  – lt—Less than.
  – gt—Greater than.
  – eq—Equal to.
  – neq—Not equal to.
  – range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.
• code1, code2—ICMP code number that is meaningful for the ICMP type you specified with icmp_type (see Table 1-4). Enter an integer. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.
For example, to configure a TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000
To remove an entry from an extended ACL, enter the no form of the command with the line number of the entry:
host1/Admin(config)# no access-list INBOUND line 10
To control ping, specify the ICMP type echo (8). The echo replies return as traffic of the established connection, which the ACE allows.
For example, to allow an external host with IP address 192.168.12.5 to ping a host behind the ACE with an IP address of 10.0.0.5, enter:
host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo
To remove that entry from the ICMP ACL, enter the no form of the command with the same keywords and arguments:
host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo
Configuring Comments in an Extended ACL
You can add comments about an extended ACL to clarify the function of the ACL. To add a comment to an ACL, use the access-list name remark command in configuration mode. You can enter only one comment per ACL and the comment always appears at the beginning of the ACL. The syntax of this command is:
access-list name remark text
• name—Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.
• remark text—Specifies any comments you want to include about the nature of the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
For example, enter:
host1/Admin(config)# access-list INBOUND remark This is a remark
For example, to remove entry comments from an ACL, enter:
host1/Admin(config)# no access-list INBOUND line 200 remark
If you delete an ACL using the no access-list name command, then all the remarks are also removed.
Configuring an EtherType ACL
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.
For example, you can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For details about configuring redundancy, refer to the Cisco Application Control Engine Module Administration Guide.
If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.
Note
You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.
On the Cisco IOS routers connected to the ACE, enter the appropriate command for your protocol, LDP or TDP. The interface argument is the router interface connected to the ACE, and the prompt shown here is the router's, not the ACE's:
Router(config)# mpls ldp router-id interface force
or
Router(config)# tag-switching tdp router-id interface force
Tip
Enter the ACL name in upper case letters so that the name is easy to see in the configuration. You may want to name the ACL for the interface (for example, INBOUND), or for the purpose (for example, MPLS).
To configure an EtherType ACL, use the access-list ethertype command in configuration mode. The syntax of this command is:
access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
The keywords and arguments are:
• name—Unique identifier of the ACL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
• ethertype—Specifies an EtherType ACL.
• deny—Blocks connections on the assigned interface.
• permit—Allows connections on the assigned interface.
• any | bpdu | ipv6 | mpls—Name of the sub-protocol (EtherType) to match. Valid values are:
  – any—Any EtherType
  – bpdu—Bridge protocol data units
  – ipv6—Internet Protocol version 6
  – mpls—Multi-Protocol Label Switching
Note
When you specify the mpls keyword in an Ethertype ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.
For example, to configure an Ethertype ACL for MPLS, enter:
host1/Admin(config)# access-list INBOUND ethertype permit mpls
To remove an entry from an EtherType ACL, enter:
host1/Admin(config)# no access-list INBOUND ethertype permit mpls
Resequencing Entries
To resequence the entries in an ACL with a specific starting number and interval, use the access-list name resequence command in configuration mode. The syntax of this command is:
access-list name resequence [number1] [number2]
• name—Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.
• resequence—Keyword that specifies the renumbering of the entries in an ACL.
• number1—Line number assigned to the first entry in the ACL. Enter any integer. The default is 10.
• number2—Increment added to the line number of each successive entry after the first. Enter any integer. The default is 10.
For example, enter:
host1/Admin(config)# access-list INBOUND resequence 5 15
Applying an ACL to an Interface
Before you can start using a configured ACL, you must apply it to one or more interfaces.
To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode. You can apply one extended ACL in each direction (inbound and outbound) of an interface, and one EtherType ACL in the inbound direction of a Layer 2 interface. See the "Inbound and Outbound ACLs" section for more information about ACL directions.
Note
If you have already applied a global ACL to all interfaces in a context, you cannot apply another ACL to an individual interface in that context. For details about applying an ACL globally, see the "Applying an ACL Globally to All Interfaces in a Context" section.
For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions, because there is no established connection whose returning traffic the ACE allows automatically. For example, to pass a connectionless routing protocol such as OSPF (IP protocol 89) through the ACE in transparent mode, you need to permit it in an ACL applied to both interfaces.
The syntax of this command is:
access-group {input | output} acl_name
The keywords and arguments are:
• input | output—Specifies the direction (inbound or outbound) of the interface in which you want to apply the ACL.
• acl_name—Identifier of an existing ACL that you want to apply to an interface. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INBOUND
To remove an ACL from an interface, enter:
host1/Admin(config-if)# no access-group input INBOUND
Applying an ACL Globally to All Interfaces in a Context
You can apply an ACL to all interfaces in a context at once, subject to the following conditions:
• No interface in the context has an ACL applied to it
• You can globally apply one Layer 2 and one Layer 3 ACL in the inbound direction only
• On Layer 2 bridge-group virtual interfaces (BVIs), you can apply both Layer 3 and Layer 2 ACLs
• On Layer 3 virtual LAN (VLAN) interfaces, you can apply only Layer 3 ACLs
• In a redundancy configuration, the ACE does not apply a global ACL to the FT VLAN. For details about redundancy, refer to the Cisco Application Control Engine Module Administration Guide.
To apply an ACL globally to all interfaces in a context in the inbound direction, use the access-group command in configuration mode. The syntax of this command is:
access-group input acl_name
For the acl_name argument, enter the identifier of an existing ACL as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You can use this command to allow all traffic on all interfaces in a context by applying an ACL similar to the following example:
host1/Admin(config)# access-list ALL_ACCESS extended permit ip any any
Then, apply the ACL globally, by entering:
host1/Admin(config)# access-group input ALL_ACCESS
To remove the ACL from all interfaces in the context, enter:
host1/Admin(config)# no access-group input ALL_ACCESS
Filtering Traffic with an ACL
You can use an ACL to select the traffic that a Layer 3 and Layer 4 class map classifies, and the ACE then permits or denies that traffic according to the action of the matching ACL entry. To filter traffic using an ACL, use the match access-list command in a Layer 3 and Layer 4 class map.
When a packet matches a permit entry in the ACL, the ACE allows the traffic; when it matches a deny entry, the ACE blocks it. For details about configuring a Layer 3 and Layer 4 class map and policy map, refer to the Cisco Application Control Engine Module Administration Guide.
ACL Configurational Examples
This section provides examples of the different types of ACLs available in the ACE. It includes the following subsections:
• Examples of Extended ACLs
• Examples of Ethertype ACLs
Examples of Extended ACLs
This section provides examples of extended ACLs. Use extended ACLs when you want to specify both the source IP address and the destination IP address (IP), ports (TCP or UDP), and ICMP types. For details about configuring extended ACLs, see the "Configuring an Extended ACL" section.
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the ACE:
host1/Admin(config)# access-list ACL_IN extended permit ip any any
The following ACL prevents TCP traffic from hosts on 192.168.1.0/24 to the 209.165.201.0/27 network. All other traffic is permitted:
host1/Admin(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
host1/Admin(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to only some hosts, then enter a limited permit entry. By default, all other traffic is denied unless explicitly permitted.
host1/Admin(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
For a list of permitted keywords and well-known port assignments, refer to Table 1-2. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
The following ACL example restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.
host1/Admin(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
host1/Admin(config)# access-list ACL_IN extended permit ip any any
The following ACLs allow all inside hosts to communicate with the outside network, but only specific outside hosts to access the inside network:
host1/Admin(config)# access-list OUT extended permit ip any any
host1/Admin(config)# access-list IN extended permit ip host 209.168.200.3 any
host1/Admin(config)# access-list IN extended permit ip host 209.168.200.4 any
The following examples illustrate ICMP ACLs. For details about configuring ICMP ACLs, see the "Configuring an Extended ACL" section.
host1/Admin(config)# access-list INBOUND extended permit icmp any any echo
host1/Admin(config)# access-list INBOUND extended permit icmp host 10.0.0.1 host 20.0.0.1 unreachable code range 0 3
Inbound and Outbound ACLs
Traffic flowing across an interface in the ACE can be controlled in two ways:
• Traffic that enters the ACE can be controlled by attaching an inbound ACL to the source interface
• Traffic that exits the ACE can be controlled by attaching an outbound ACL to the destination interface
To allow any traffic to enter the ACE, you must attach an inbound permit ACL to an interface; otherwise, the ACE automatically refuses all traffic that enters that interface. By default, traffic can exit the ACE on any interface unless you restrict it using an outbound ACL, which adds restrictions to those already configured in the inbound ACL.
Note
Inbound and outbound refer to the application of an ACL on an interface, either to traffic entering the ACE on an interface or traffic exiting the ACE on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
You may want to use an outbound ACL to simplify your ACL configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound ACL that allows all traffic on each inside interface. (See Figure 1-1.)
Figure 1-1 Inbound ACLs
See the following commands for this example. Each inside network has its own interface and its own ACL; the VLAN numbers are illustrative:
host1/Admin(config)# access-list INSIDE extended permit ip any any
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INSIDE
host1/Admin(config)# access-list HR extended permit ip any any
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# access-group input HR
host1/Admin(config)# access-list ENG extended permit ip any any
host1/Admin(config)# interface vlan 300
host1/Admin(config-if)# access-group input ENG
Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 1-2). For information about NAT and IP addresses, see the "IP Addresses for ACLs with NAT" section. The outbound ACL prevents any other hosts from reaching the outside network.
See the following commands for this example (VLAN IDs 200, 300 and 400 for the HR, ENG and outside interfaces are placeholders, so substitute your own interface IDs):
host1/Admin(config)# access-list INSIDE extended permit ip any any
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INSIDE
host1/Admin(config)# access-list HR extended permit ip any any
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# access-group input HR
host1/Admin(config)# access-list ENG extended permit ip any any
host1/Admin(config)# interface vlan 300
host1/Admin(config-if)# access-group input ENG
host1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
host1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
host1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
host1/Admin(config)# interface vlan 400
host1/Admin(config-if)# access-group output OUTSIDE
Figure 1-2 Outbound ACL
IP Addresses for ACLs with NAT
When you use NAT, the IP addresses you specify for an ACL depend on the interface to which the ACL is attached. You need to use addresses that are valid on the network that is connected to the interface. This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does.
For example, suppose that you want to apply an ACL to the inbound direction of the inside interface. You configure the ACE to perform NAT on the inside source addresses when they access outside addresses. Because the ACL is applied to the inside interface, the source addresses are the original untranslated addresses. Because the outside addresses are not translated, the destination address used in the ACL is the real address (see Figure 1-3).
Figure 1-3 IP Addresses in ACLs: NAT Used for Source Addresses
See the following commands for this example:
host1/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INSIDE
If you want to allow an outside host to access an inside host, you can apply an inbound ACL on the outside interface. You need to specify the translated address of the inside host in the ACL because that address is the address that can be used on the outside network. (See Figure 1-4.)
Figure 1-4 IP Addresses in ACLs: NAT used for Destination Addresses
See the following commands for this example:
host1/Admin(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input OUTSIDE
If you perform NAT on both interfaces, then keep in mind the addresses that are visible to a given interface. In Figure 1-5, an outside server uses static NAT so that a translated address appears on the inside network.
Figure 1-5 IP Addresses in ACLs: NAT used for Source and Destination Addresses
See the following commands for this example:
host1/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INSIDE
For an example of IP addresses used in outbound ACLs, see Figure 1-2.
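As an added illustration of the two points above (the Figure 1-2 inbound-plus-outbound example and the NAT addressing rule), the following Python script is not part of the original Cisco document: it parses entries in the page's extended ACL syntax, applies first-match semantics with the implicit deny-all, and evaluates a flow through the inbound ACL on the inside interface (real source address) and then the outbound ACL on the outside interface (translated source address). The inside /24 entry, the static NAT table and the client addresses are constructed sample values.

```python
import ipaddress

def _addr(tok, i):
    """Consume an address spec at tok[i] ('any', 'host A' or 'A MASK'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1])), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' entries, keeping order."""
    acls = {}
    for line in lines:
        tok = line.split()
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        # Only the 'eq' operator is handled; 'www' is the name the page uses for TCP port 80
        port = int({"www": "80"}.get(tok[i + 1], tok[i + 1])) if tok[i:i + 1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; the implicit deny-all at the end of every ACL applies otherwise."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto) or src not in esrc or dst not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action == "permit"
    return False

def allowed(acls, inbound, outbound, nat, proto, src, dst, dport=None):
    """The inbound ACL sees the real (untranslated) source; the outbound ACL sees the NAT-translated one."""
    if not evaluate(acls[inbound], proto, src, dst, dport):
        return False
    return evaluate(acls[outbound], proto, nat.get(src, src), dst, dport)

# Constructed sample: the page's OUTSIDE entries plus a /24 inside permit (interfaces implied by ACL names)
CONFIG = [
    "access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 any",
    "access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www",
    "access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www",
    "access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www",
]
# Constructed static NAT table: inside real address -> address visible on the outside network
NAT = {"10.1.1.4": "209.165.201.4", "10.1.1.5": "209.165.201.5"}
ACLS = parse_acl(CONFIG)
```

Calling `allowed(ACLS, "INSIDE", "OUTSIDE", NAT, "tcp", "10.1.1.4", "209.165.200.225", 80)` returns True, while the same call for 10.1.1.5 returns False because its translated address 209.165.201.5 hits the implicit deny in OUTSIDE.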
Examples of Ethertype ACLs
This section provides examples of Ethertype ACLs. For details about configuring an EtherType ACL, see the "Configuring an EtherType ACL" section.
For example, the following sample ACL allows common EtherTypes originating on the inside interface:
host1/Admin(config)# access-list ETHER ethertype permit ipv6
host1/Admin(config)# access-list ETHER ethertype permit bpdu
host1/Admin(config)# access-list ETHER ethertype permit mpls
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group output ethertype ETHER
The following ACL allows some EtherTypes through the ACE, but denies IPX:
host1/Admin(config)# access-list ETHER ethertype deny ipx
host1/Admin(config)# access-list ETHER ethertype permit bpdu
host1/Admin(config)# access-list ETHER ethertype permit mpls
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input ethertype ETHER
The following ACL denies traffic with EtherType bpdu but allows all others on both interfaces:
host1/Admin(config)# access-list nonIP ethertype deny bpdu
host1/Admin(config)# access-list nonIP ethertype permit any
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input ethertype nonIP
Displaying ACL Configurational Information and Statistics
This section describes the show commands you can use to display ACL configurations and statistics. It includes the following subsections:
•
Displaying ACL Configurational Information
•
Displaying ACL Statistics
Displaying ACL Configurational Information
To display all ACL configurational information, including the interfaces on which you applied the ACLs, use the show running-config command. The syntax of this command is:
show running-config
To display only the ACLs and their entries, use the show running-config access-list command in Exec mode. The syntax of this command is:
show running-config access-list
Displaying ACL Statistics
To display ACL statistics for a particular ACL, use the show access-list command. The syntax of this command is:
show access-list name
For the name argument, enter the name of an existing ACL as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Table 1-5 describes the fields in the show access-list command output.
Table 1-5 Field Descriptions for the show access-list Command Output
Field | Description
Access-list | Name of the security ACL
Elements | Number of entries in the ACL
Status | Current status of the ACL: active when the ACL is associated with at least one interface, or not active when it is not associated with any interface
Remark | Configured comments describing the ACL
Entries and Hitcounts | Full text of all entries in the ACL and their respective hit counts
Clearing ACL Statistics
To clear ACL statistics (hit counts for ACL entries), use the clear access-list command in Exec mode. The syntax of this command is:
clear access-list name
The name argument identifies an existing ACL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/Admin# clear access-list acl1
Note
If you have redundancy configured, then you need to explicitly clear ACL statistics (hit counts) on both the active and the standby ACEs. Clearing statistics on the active module alone will leave the standby module's statistics at the old value.